Reports of new software security incidents and data breaches surface constantly, but many organizations are still struggling to get a handle on application security, particularly in the development process. A recent study by the SANS Institute found that development is included in application security plans in just 35 percent of organizations. Given the risk of vulnerabilities, many onlookers may wonder why more is not being done to implement tools such as static analysis to increase security.
According to the SANS study, only 23 percent of organizations include application security at every stage of the development process. In 30 percent of organizations, application security is considered important but developers and information security teams only interact with each other at certain points in the process. However, in 26 percent of companies, application security reviews occur only at the end of the development process, which researchers noted has been shown to increase the cost and difficulty of developing applications. In 19 percent of companies, there is no security review process for internally developed applications.
“Only a small percentage of companies that have an application security program are covering close to 100 percent of their business-critical apps,” report authors Jim Bird and Frank Kim wrote, noting that large organizations face specific management challenges due to scale. “A large number of companies do not even have a good understanding of what applications they are managing, so they cannot be confident that they are securing them.”
Why is application security such a challenge?
When the idea of building techniques such as source code analysis into the development process first emerged as a major trend around a decade ago, it seemed that software security was set to improve dramatically, TechTarget senior editor Jennifer Lent noted in a recent article. While static analysis software and other tools have only improved since then, organizational resistance has prevented their widespread adoption. Trends such as the ones observed in the SANS study can largely be attributed to challenges in assigning responsibility for application security, bad first impressions and economic factors.
One of the biggest impediments to the adoption of secure development processes such as the use of source code analysis software and penetration testing has been in determining who should be responsible for application security, Lent explained. Many organizations assigned the task to IT security teams, but these groups are generally more focused on network security and preventing external attacks. Quality assurance teams, on the other hand, often lacked the security expertise needed to make the most of new solutions. And developers were reluctant to adopt static analysis tools when they came out due to negative first impressions.
Early static analysis programs had high false positive rates, which developers found frustrating and time consuming, Lent wrote. Although these issues have been fixed, many programmers continue to resist the tools based on initial attempts. Additionally, many developers may have felt targeted when initial demonstrations turned up issues in their code construction.
“Developers – who could blame them? – didn’t appreciate being told the code they wrote was vulnerable to attack,” Lent wrote. “And that got application security off to a bad start with the very audience that had the most to gain from adopting these tools.”
Adding to these complications was the fact that source code analysis tools really matured around 2008, just before the economic downturn, Lent explained. With tightly stretched budgets, many organizations prioritized other issues ahead of application security.
Today’s businesses have much to gain in strengthening the development lifecycle to include application security. And with advanced static analysis tools, developers no longer have to worry about the issues that initially turned them away from the technology. Modern solutions are actually more business-friendly to companies continuing to face tight budgets. With source code analysis included in the development process, organizations can cut the cost of fixing bugs right before release or, worse, dealing with a software security incident down the line.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.